Days before Apple was ordered to turn over the iPhone of one of the San Bernardino attackers who killed fourteen in December, cyber experts clashed at the Munich Security Conference over the high stakes of cyber security: for user’s privacy, and for their nations’ safety.
They have been used as a weapon of the Islamic State to distribute propaganda and hack into government websites. They wreaked havoc on the German Bundestag through remotely controlling computers and stealing passwords and administrator rights. They have compromised the security of U.S. military officers through hacking the U.S. Central Command’s Twitter account and posting sensitive information about the officers. And every person who has downloaded apps with personal information onto a smartphone can make himself vulnerable to them. Whether cyber-attacks damage national defense infrastructure or Google users’ personal data, cyber security can no longer be considered a side issue on the international stage. At the Munich Security Conference (MSC), a group of cyber experts gathered to discuss proposals for the way forward.
The main tension lies between the government’s interest in access to information, and the Internet provider’s responsibility to protect its users’ privacy. Google’s Vice President for Security and Privacy Gerhard Eschelbeck said at the event “Trolls, Hackers, and Extremists,” hosted by the MSC, Amerika Haus, and the U.S. Consulate in Munich, that governments are working to limit tools that secure networks. On Tuesday afternoon, just five days after Mr. Eschelbeck’s critique of such government intervention, Magistrate Judge Sheri Pym of the Federal District Court for the District of Central California ordered Apple to create a “backdoor” to unlock information on the San Bernardino attacker’s iPhone.
In his February 16 response to the magistrate’s request, in the form of a public message to Apple customers, CEO Tim Cook claimed that the FBI wanted Apple to “make a new version of the iPhone operating system, circumventing several important security features” and that “in the wrong hands, this software—which does not exist today—would have the potential to unlock any iPhone in someone’s physical possession.”
And herein lies the dilemma: If the courts decide that Apple, and the rest of the data industry, has the law on its side, it may become increasingly difficult for intelligence agencies to have access to data that could prevent future attacks by those such as the Islamic State or the San Bernardino gunmen. On the other hand, if the technology is created that could get around security mechanisms in any phone, without oversight, citizens have an increased chance of not only their private data being compromised, but the technology could be used to compromise national security information as well if it falls into the wrong hands.
At the Munich forum, Mr. Eschelbeck proposed that “governments need to work together so no roadblocks are made to securing infrastructure.” Encryption needs to be strengthened, he said, two-factor authentication needs to replace passwords as a way to access accounts, and architecture needs to be created so that if a system is hacked into, the attackers can’t have access to the entire infrastructure.
The Estonian president Hendrik Ilvers, whose country was one of the first to encounter hacking on a national scale when the entire government, banks, and most of the service sector was put off line through a Denial of Service attack in 2007, said at the Munich event that users should be more concerned about their own laxness with the Internet giants, not government intervention. Everyone who has downloaded Facebook or Google apps to their smartphone has carte blanche given the Internet providers access to personal data, he said.
U.S. Department of State Cyber Coordinator Christopher Painter said that the problem can only be addressed if the private sector is brought in on the conversation and cyber security is addressed on an international level.
“We need to raise awareness on international law in the cyber security realm,” Mr. Painter told the panel. “This does not mean creating a new legal regime,” he explained later that evening. “Existing international law applies to cyberspace just as it does in the physical world. But we do need to work at the international level in articulating how existing international law applies in this area. We also need to build an international consensus on norms of appropriate state behavior in cyberspace that will lead to greater stability in the long term and work with all stakeholders—including governments, the private sector, and civil society—to combat cyber threats.”
At an MSC panel the next day, Director of National Intelligence James Clapper said encryption will continue to be necessary, as will the U.S. commitment to the “U.S.-EU Privacy Shield,” which ensures that European citizens’ data will not be subjected to mass surveillance.
Mr. Clapper agreed that in an era of increased security threats in the cyber sphere, citizens’ privacy needs to be protected. Without an infrastructure that can protect user privacy and national security, states make themselves even more vulnerable to attacks.
In an increasingly networked world, private companies run by private citizens using private cell phones provide public services. In Germany, 80 percent of critical government infrastructure is run by private companies. Should vital services such as energy, telecommunications, or transport be disabled through a cyber hack or Denial of Service attack, it could cost a nation millions and have dire consequences for citizens and private companies.
This is not an abstract problem for Germans and Americans. While the global cost of cyber-crime is $385 billion, the highest loss in dollars due to cyber-crime occurs in Germany, at 1.6 percent of GDP, with the United States second with .64 percent of GDP. On average, the cost of a cyber-attack to the private company in the European Union is $8.9 million per year, compared to $12.7 million per company in the United States.
How can this dilemma be solved? While the Cybersecurity Directive of 13 March 2014—part of the EU’s much touted Digital Agenda—facilitates information sharing between public and private sectors across the EU, and ensures that certain private sector bodies providing critical infrastructure make the necessary changes to deal with cybersecurity threats, two years later, these changes remain more ideals than reality. This legislation must move from paper to action to ensure that security and privacy are protected.
A streamlined system is needed to get the private sector and government entities to have improved cybersecurity standards in the United States. This will not work without an oversight commission to ensure that the private and public sectors are working together and that cybersecurity standards are being both implemented and kept up to date.
This has never been, and will never be, a one-man job. Extremism can only be held at bay and data security protected in a new cyber world order when users and creators of technology agree to keep radicals powerless.
Dr. Sarah Lohmann teaches international human rights and security policy at the Universität der Bundeswehr in Munich.
 Silja Meyer-Nieberg, Stefan Pickl, Martin Zsifkovits, “Quantitative Methods of Future Studies,” Study for the Bundeswehr Planning Office, Universität der Bundeswehr München, 2014.
 Center for Strategic and International Studies, “Net Losses: Estimating the Global Cost of Cybercrime,” June 2014, http://csis.org/files/attachments/140609_rp_economic_impact_cybercrime_report.pdf.
 Ponemon Institute, “2014 Global Report on the Cost of Cybercrime,” 30 October 2014.